Risk Management; Domain 5.0

By Kingsley

Updated: Jul 9, 2021

Any new organization starting out tends to focus more on its return on investment and on calculating its hurdle rates. They might tell you that the last three things they want to deal with are policies, plans and procedures. That’s when you, as the cyber-security representative, can take a plunge into their world and ask: “When calculating hurdle rates, doesn’t that involve taking appropriate compensation for the level of risk present?” Congratulations, you’ve just bridged the gap between the business professional world and the cyber-security professional world. This is the everyday reality of risk management. The persistent, entangled roots of risk management are steadily taking hold and becoming an everyday part of each organization. Much like roots finding their way through city sidewalks, risk management finds its way into just about every board-room meeting. The fact remains: where there’s an organization, there’s risk management. In CompTIA’s Security+ exam objectives, Risk Management falls under Domain 5.0 and makes up 14% of the exam. The CompTIA Security+ exam is an internationally recognized certification used by organizations and security professionals around the globe. With that, let’s jump into a few sections from this domain’s exam objectives!


5.1 Explain the importance of policies, plans and procedures related to organizational security.


If you scroll down through the objectives you’ll get to 5.1, which covers the importance of policies, plans and procedures relating to organizational security. The plan is to cover one highlight from each of sections 5.1-5.5 of Domain 5.0. Section 5.1 starts with standard operating procedures and closes with social media networks and personal email. It’s no accident that when an experienced colleague takes a four-week vacation, a new hire is left at work in unfamiliar territory. Everyone enjoys a great vacation, but usually an organization will have a specific standard operating procedure to follow in this circumstance. An organization typically has an overall standard operating procedure, and within its different sections there are usually what are called “desktop standard operating procedures”. For instance, the IT section might have a procedure for re-imaging systems or shutting down a data center. You may not want to find yourself needing to shut down a data center without those procedures to refer to, since each data center typically includes routers, switches, firewalls, backup servers, file servers and so on. Without the overall standard operating procedure, chances are there will not be a sectional operating procedure either.


5.2 Summarize business impact analysis concepts.


Just going to throw this out there: what do business impact analysis concepts have to do with cyber security? As far as cyber-security professionals are concerned, we just want to analyze network traffic, conduct vulnerability assessments and catch malicious intruders. Trust that you will indeed get to do that. However, there needs to be an understanding that hardware will eventually fail and the company will find itself scrambling for replacements. This section introduces a few business acronyms, RTO/RPO, MTBF and MTTR, which will be covered here; the rest of the section is pretty self-explanatory. First things first, RTO/RPO. It was already said that eventually hardware will fail on you. How much data can the company afford to lose before it impacts business operations? This is referred to as the recovery point objective (RPO). There is also a certain timeframe within which applications and systems have to be restored after an outage has occurred; this is referred to as the recovery time objective (RTO). Most importantly, the RPO also indicates how often backups need to be taken so that data can be recreated after a loss. For the last two acronyms in 5.2 (MTBF/MTTR) there’s a great resource to help with that, just check out the references section towards the end. When studying course materials it’s recommended to break away and consult additional resources to complement the studying. MTBF, or Mean Time Between Failures, is the average time that passes between one failure and the next. MTTR means Mean Time to Repair: how long it takes to repair after a failure has occurred. There are formulas to calculate both the MTTR and the MTBF. Just when folks didn’t think there was any math involved in the cyber-security field.
Calculating the Mean Time Between Failures (MTBF) involves taking the total time of correct operation in a period and dividing it by the number of failures. For example, a system should operate for 9 hours, and during this time 4 failures occurred. Using the formula below shows that a failure in the system occurs every five hours.


MTBF = (9 − 1) / 4 = 2

Calculating the Mean Time to Repair (MTTR) is similar: it’s the total hours of downtime caused by the system failures divided by the number of failures. With the figures below, the formula reveals the average downtime per failure.


MTTR = 60 min/4 failures = 15 minutes
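The two formulas above, plus the RPO check the section describes, carried through in code. This is an added example, not part of the original post: the outage intervals and backup times are constructed sample data chosen to reproduce the post's own figures (a 9-hour period, 4 failures, 60 minutes of total downtime), and the function names are this example's own.

```python
"""Availability metrics from an outage record (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed: a 9-hour observation window containing four outages whose
# downtimes add up to 60 minutes (10 + 20 + 5 + 25).
WINDOW_START = datetime(2021, 7, 9, 8, 0)
WINDOW_END = WINDOW_START + timedelta(hours=9)
OUTAGES = [  # (went down at, came back at)
    (datetime(2021, 7, 9, 9, 0), datetime(2021, 7, 9, 9, 10)),
    (datetime(2021, 7, 9, 11, 0), datetime(2021, 7, 9, 11, 20)),
    (datetime(2021, 7, 9, 13, 0), datetime(2021, 7, 9, 13, 5)),
    (datetime(2021, 7, 9, 15, 0), datetime(2021, 7, 9, 15, 25)),
]
# Constructed backup schedule: the gap between 12:00 and 17:00 is 5 hours.
BACKUPS = [datetime(2021, 7, 9, 8, 0), datetime(2021, 7, 9, 12, 0),
           datetime(2021, 7, 9, 17, 0)]


def total_downtime(outages):
    """Sum of (came back - went down) over every outage."""
    return sum(((up - down) for down, up in outages), timedelta())


def mtbf_hours(window_start, window_end, outages):
    """MTBF = time of correct operation in the window / number of failures."""
    if not outages:
        raise ValueError("no failures in the window, MTBF is undefined")
    uptime = (window_end - window_start) - total_downtime(outages)
    return uptime / timedelta(hours=1) / len(outages)


def mttr_minutes(outages):
    """MTTR = total downtime / number of failures."""
    if not outages:
        raise ValueError("no failures in the window, MTTR is undefined")
    return total_downtime(outages) / timedelta(minutes=1) / len(outages)


def availability(window_start, window_end, outages):
    """Fraction of the window the system was up; equals MTBF / (MTBF + MTTR)."""
    window = window_end - window_start
    return 1 - total_downtime(outages) / window


def rpo_violations(backup_times, rpo, check_until):
    """Gaps between consecutive backups (and from the last backup to
    check_until) that exceed the RPO; each is data the business could lose."""
    points = sorted(backup_times) + [check_until]
    return [(earlier, later - earlier)
            for earlier, later in zip(points, points[1:])
            if later - earlier > rpo]


if __name__ == "__main__":
    print("MTBF (h):", mtbf_hours(WINDOW_START, WINDOW_END, OUTAGES))
    print("MTTR (min):", mttr_minutes(OUTAGES))
    print("availability:", round(availability(WINDOW_START, WINDOW_END, OUTAGES), 4))
    for started, gap in rpo_violations(BACKUPS, timedelta(hours=4), WINDOW_END):
        print(f"RPO of 4 h exceeded: no backup for {gap} after {started:%H:%M}")
```

With these figures the uptime is 8 of 9 hours, so MTBF comes out at 2 hours and MTTR at 15 minutes, and availability (8/9) is the same whether computed from downtime directly or as MTBF / (MTBF + MTTR). The RPO check reports the 5-hour backup gap because a 4-hour RPO cannot be met by a schedule with a 5-hour hole in it.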

These are just a few examples; to study further, please refer to the attached references. Most companies will not need to work out exactly how much time their systems are going to be down, unless you’re a company that hemorrhages funds while the systems are down. When they’re down, they’re down: contact the help desk or your systems administrator to fix the issue.


5.3 Explain risk management processes and concepts.


Leaving math behind is always a welcome break; as mentioned before, it’s one of those things you have to learn for the exam. If you’re one of the lucky ones who needs to use it for the company that hires you, then at least the knowledge is there, not to mention the large Security+ book that you can reference any time you need it. In this next section there are a handful of concepts to study and become comfortable with. The only one that will be covered here is the “likelihood of occurrence”. The rest of the concepts will most assuredly be practiced on a regular basis once that job lands in your lap. The following over-dramatized example of the “likelihood of occurrence” actually did happen at one point in time to a certain company.


A salty but very tired and overworked construction crew arrived very early on site one fall day in New England. After many attempts to psych each other up for the day, the construction crew began digging as demanded by the fully rested foreman. Roughly one hour into the dig a loud noise with a distinctive metallic clang escaped from the ground. The backhoe operator reluctantly pulled the bucket slowly from the ground, bringing an angry parade of water along with it. The foreman was about to give the crew a hard time when he realized he had them digging in the wrong area to begin with. The water line that was damaged happened to be the main line for the server room cooling unit at the business office next door.


One could guess what happens next: servers, routers and the rest of the typical networking equipment need to maintain a certain temperature. If that equipment runs too hot, things start breaking down. Take into account that the likelihood of something happening is just a given reality. In order to prepare for the likelihood of this happening to your company, it’s best to at least have the capability to track temperatures within your server room. There are many options out there, but one of the most affordable solutions comes from CAS (Computer Aided Solutions, LLC) Data Loggers. They have a T&D Server Room Monitoring System that can send data straight to your phone with the T&D Thermo mobile app, including actionable alarms sent directly to your work email. More information can be found in the references section below.


5.4 Given a scenario, follow incident response procedures.


Now that the likelihood of something happening is still fresh, this next section should fit the same mold. Many companies say that they have an incident response plan but don’t follow it; on the positive side, at least they have one. This section starts with documenting the incident and ends with lessons learned. The main focus here is roles and responsibilities. Knowing your position within the company as a cyber-security professional is straightforward; knowing your position when it comes to incident response, however, may have to be exercised and practiced. For starters, there should at least be a hotline number to call within the organization, and at the end of that line there should be a group of professionals who are familiar with incident response. One scenario might involve a recent scan that was run using McAfee’s ePolicy Orchestrator. The scan revealed some sort of malicious code through DLL injection. Not knowing what that could involve or how it could affect the network is a good enough reason to disconnect the Ethernet cable right away. The next step would be to report the incident using your organization’s hotline; if that’s not available, report directly to your supervisor. The step after that would be to monitor and analyze any further escalation, and do not shut the system down. A common reaction may be to shut the system down, but the audit logs need to keep running and monitoring the incident as well. The last step would involve containment and neutralization. Depending on how severe the malicious activity is, some organizations may require full system recovery or re-imaging. Each system should have an endpoint security solution that automatically contains malicious activity, so that you can review it and then simply clear it from quarantine. Keep in mind that an antivirus program gives three options to take care of a virus: clean, quarantine or delete.
Deleting a virus removes it from the system, after which it is no longer available for evidence or reporting, so be sure you have everything you need before this action is taken. Cleaning the virus removes the infection from the file but doesn’t delete the file itself. Quarantining the virus means managing it in a safe location; it neither deletes the infected file nor cleans it. After the incident it always proves beneficial to knock out an after-action review or a lessons-learned session to go over improvements, or actions to sustain, in case something like that happens again.
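The point that deletion destroys evidence, turned into a small procedure: capture a hash, a copy and a custody record of the suspect file first, and let the clean / quarantine / delete action go ahead only when a record exists for exactly that file content. This is an added example, not part of the original post and not McAfee's or any product's own workflow; the "suspect" file is constructed in a temporary directory so the script runs offline, and the function names are this example's own.

```python
"""Preserve evidence before an antivirus disposition (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

ACTIONS = ("clean", "quarantine", "delete")


def file_sha256(path, chunk=1 << 16):
    """Hash the file in chunks so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_evidence(path, evidence_dir, analyst):
    """Copy the file into evidence_dir (named by hash) and write a custody record."""
    os.makedirs(evidence_dir, exist_ok=True)
    digest = file_sha256(path)
    st = os.stat(path)
    copy_path = os.path.join(evidence_dir, digest)
    shutil.copy2(path, copy_path)  # copy2 keeps the original modification time
    if file_sha256(copy_path) != digest:  # never trust an unverified copy
        raise RuntimeError("evidence copy does not match the original hash")
    record = {
        "original_path": os.path.abspath(path),
        "sha256": digest,
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": analyst,
        "evidence_copy": copy_path,
        "actions": [],
    }
    with open(copy_path + ".json", "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record


def disposition(path, action, record):
    """Apply clean / quarantine / delete only once evidence for this content exists."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    if record is None or record["sha256"] != file_sha256(path):
        raise RuntimeError("refusing: no evidence record for this file's current content")
    if action == "delete":
        os.remove(path)  # destructive: the evidence copy is all that remains
    elif action == "quarantine":
        qdir = os.path.join(os.path.dirname(record["evidence_copy"]), "quarantine")
        os.makedirs(qdir, exist_ok=True)
        shutil.move(path, os.path.join(qdir, record["sha256"]))  # isolate, keep file
    # "clean" is left to the AV engine, which strips the infection in place;
    # either way the action is appended to the custody record.
    record["actions"].append({"action": action,
                              "at_utc": datetime.now(timezone.utc).isoformat()})
    return action


def demo():
    """Constructed run: a harmless stand-in file in a temporary directory."""
    work = tempfile.mkdtemp()
    suspect = os.path.join(work, "suspect.dll")
    with open(suspect, "wb") as f:
        f.write(b"constructed sample bytes, not real malware\n")
    try:
        disposition(suspect, "delete", None)  # must be refused: nothing preserved yet
        refused = False
    except RuntimeError:
        refused = True
    record = preserve_evidence(suspect, os.path.join(work, "evidence"), "analyst-1")
    disposition(suspect, "delete", record)
    return {"record": record,
            "refused_without_evidence": refused,
            "original_removed": not os.path.exists(suspect),
            "copy_kept": os.path.exists(record["evidence_copy"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The hash comparison inside `disposition` is what makes the record meaningful: if the file changed after evidence was collected (say, the dropper rewrote itself), the stale record no longer vouches for the content about to be deleted, and the action is refused until evidence is collected again.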


5.5 Summarize basic concepts of forensics.


There’s a fair bundle of topics within this section that cover basic concepts of computer forensics. Remember, once you take this exam and pass it, you will have completed the initial benchmark of becoming a cyber-security professional. All computers create logs of everything going on from the moment of startup to system shutdown. This section discusses network traffic and logs; if you’re using Windows 10, start typing “Event Viewer” in the Cortana search window. If you’re using a Mac, the event viewer is located within the Console app. Once you open up the application, notice in the left pane that there is an extensive menu starting with “Custom Views” and ending with “Subscriptions”. As a cyber-security professional just starting out you would mainly be concerned with the Application, Security, System and Printing logs. This is a great way to get an idea of what a computer system keeps track of: each entry carries an event ID along with a time stamp, and the event ID can be looked up online to find out more details. Many of the events collected will not apply to what you are looking for. When monitoring audit activity across a network it’s highly recommended to use a log parser or log analysis tools. The top ten tools out there for log management are Chaossearch, Sumo Logic, Datadog Cloud Monitoring, Graylog, Loggly, SilverSky, Splunk, Honeycomb, EventTracker and Epsagon. The most recommended way to ensure that the material in this section is grasped is to conduct a little more research outside the course material. Once you schedule that exam and walk into the testing area to your assigned workstation, remember this: “It always seems impossible until it’s done.” – Nelson Mandela
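What a minimal log parser does with Event Viewer output: read the entries, count them by event ID, attach the documented meaning where one is known, and flag a pattern a person scrolling the Security log would otherwise miss. This is an added example, not part of the original post and not any of the listed products' code. The CSV lines are constructed to resemble Event Viewer's "Save All Events As... CSV" export (that header layout is an assumption); the timestamps and sources are made up, while the meanings given for event IDs 4624, 4625, 4688 and 7036 are the documented Windows ones.

```python
"""Summarise Event Viewer CSV entries and flag failed-logon bursts (added example)."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of an Event Viewer CSV export.
SAMPLE_CSV = """Level,Date and Time,Source,Event ID,Task Category
Information,7/9/2021 8:01:12 AM,Microsoft-Windows-Security-Auditing,4624,Logon
Information,7/9/2021 8:02:40 AM,Microsoft-Windows-Security-Auditing,4688,Process Creation
Information,7/9/2021 8:15:03 AM,Microsoft-Windows-Security-Auditing,4625,Logon
Information,7/9/2021 8:15:05 AM,Microsoft-Windows-Security-Auditing,4625,Logon
Information,7/9/2021 8:15:06 AM,Microsoft-Windows-Security-Auditing,4625,Logon
Information,7/9/2021 8:15:08 AM,Microsoft-Windows-Security-Auditing,4625,Logon
Information,7/9/2021 8:15:09 AM,Microsoft-Windows-Security-Auditing,4625,Logon
Information,7/9/2021 8:15:30 AM,Microsoft-Windows-Security-Auditing,4624,Logon
Information,7/9/2021 9:00:00 AM,Service Control Manager,7036,None
"""

# Documented meanings; anything else is reported as "look it up".
KNOWN_IDS = {
    4624: "successful logon",
    4625: "failed logon",
    4688: "new process created",
    7036: "service entered the running/stopped state",
}


def parse_events(text):
    """Turn the CSV export into dicts with a real datetime and an int event ID."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["Date and Time"], "%m/%d/%Y %I:%M:%S %p"),
            "source": row["Source"],
            "event_id": int(row["Event ID"]),
            "category": row["Task Category"],
        })
    return events


def summarize(events):
    """(event_id, count, meaning) rows, most frequent first."""
    counts = Counter(e["event_id"] for e in events)
    return [(eid, n, KNOWN_IDS.get(eid, "unknown: look up the event ID"))
            for eid, n in counts.most_common()]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding window over 4625 events: report spans holding >= threshold failures.
    After a burst is reported the window restarts so one burst is reported once."""
    times = sorted(e["time"] for e in events if e["event_id"] == 4625)
    bursts, start = [], 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            bursts.append((times[start], times[end]))
            start = end + 1
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for eid, n, meaning in summarize(evs):
        print(f"{eid:5d} x{n:<3d} {meaning}")
    for first, last in failed_logon_bursts(evs):
        print(f"failed-logon burst: {first:%H:%M:%S} to {last:%H:%M:%S}")
```

Five failed logons in six seconds followed by a success is the kind of sequence worth a second look, and it only stands out once the entries are grouped by ID and time rather than read one by one; the same loop works on a real export once the timestamp format matches the machine's locale.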


References:

©2019 by InfoSec Vine